-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Support expiry of refresh tokens and expiry of the overall session when refresh tokens are in use. #11425
Conversation
as they're now compatible
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems reasonable.
I wasn't 100% clear on what refreshing did to access tokens. I think they extend their lifetime, but I didn't see a test that checked this by trying to use an access token after it had been refreshed.
I think you're also forbidden from using the same refresh token twice. Don't understand the security behind this, but that sounds like an important enough point to merit a test case.
tests/rest/client/test_auth.py
Outdated
# Advance 119 seconds in the future (just shy of 2 minutes) | ||
self.reactor.advance(119.0) | ||
|
||
# Refresh our access token. It should still JUST be valid right now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't it be valid for a fresh batch of 2 minutes? Otherwise, why are you waiting 121 seconds below rather than 2 seconds?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, if I understand correctly:
- at this point the access token has expired, so you shouldn't be able to use it
- using the refresh token will allow us to use the access token again(?)
- If so, do we test this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right in saying there should be more tests.
using the refresh token will allow us to use the access token again(?)
It creates a new access token :). It's actually pretty tricky to invalidate the caches on other Synapse workers to extend a token's lifetime (I looked into this before we switched track to refresh tokens for a customer), it's actually easier to create a fresh token. (Also, creating a new token is kind of how refresh tokens protect against access token disclosure, since the leaked access token dies out and never is valid again.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't it be valid for a fresh batch of 2 minutes? Otherwise, why are you waiting 121 seconds below rather than 2 seconds?
Yes. I think there must be something unclear about the test since I think the test is right, though I'm not sure I understand what you're asking.
Here, we first test that a refresh (of R1) works within 119 seconds of issuance (less than 2 minutes; this produces R2) but a refresh (of R2) fails after 121 seconds of issuance (of R2).
Perhaps one thing that would help would be to not reuse the same variable name.
I will tweak some comments / names and see if it pleases you more
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, I think those changes are good. What I hadn't groked was that on line +659 we now have a second (new) access token.
The phrase "refresh our access token" on +671 makes me think of keeping the same access token around, but delaying its expiry. Perhaps it would be clearer to speak of "requesting a new access token" or "refreshing/extending the session" here and in #11427?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, that is clearer!
@DMRobertson This helps to reduce the impact of a refresh token leakage. See the last section of the MSC: https://github.com/matrix-org/matrix-doc/blob/main/proposals/2918-refreshtokens.md#detailed-rationale |
for what it's worth, #11427 is a draft of the Synapse documentation I want to add for this feature. It might or might not help your understanding — it's also a good chance to tell me if the doc is missing anything critical before you understand it too well to notice :) |
…rrect life in practice
My predecessor already thought of this: Please do let me know if you spot any other tests I should include! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. I've suggested a potentially useful rephrasing in https://github.com/matrix-org/synapse/pull/11425/files#r757509947 , but I leave that at your discretion---I might be splitting hairs there.
…en, to reduce confusion
Synapse 1.49.0 (2021-12-14) =========================== No significant changes since version 1.49.0rc1. Support for Ubuntu 21.04 ends next month on the 20th of January --------------------------------------------------------------- For users of Ubuntu 21.04 (Hirsute Hippo), please be aware that [upstream support for this version of Ubuntu will end next month][Ubuntu2104EOL]. We will stop producing packages for Ubuntu 21.04 after upstream support ends. [Ubuntu2104EOL]: https://lists.ubuntu.com/archives/ubuntu-announce/2021-December/000275.html The wiki has been migrated to the documentation website ------------------------------------------------------- We've decided to move the existing, somewhat stagnant pages from the GitHub wiki to the [documentation website](https://matrix-org.github.io/synapse/latest/). This was done for two reasons. The first was to ensure that changes are checked by multiple authors before being committed (everyone makes mistakes!) and the second was visibility of the documentation. Not everyone knows that Synapse has some very useful information hidden away in its GitHub wiki pages. Bringing them to the documentation website should help with visibility, as well as keep all Synapse documentation in one, easily-searchable location. Note that contributions to the documentation website happen through [GitHub pull requests](https://github.com/matrix-org/synapse/pulls). Please visit [#synapse-dev:matrix.org](https://matrix.to/#/#synapse-dev:matrix.org) if you need help with the process! Synapse 1.49.0rc1 (2021-12-07) ============================== Features -------- - Add [MSC3030](matrix-org/matrix-spec-proposals#3030) experimental client and federation API endpoints to get the closest event to a given timestamp. ([\#9445](#9445)) - Include bundled relation aggregations during a limited `/sync` request and `/relations` request, per [MSC2675](matrix-org/matrix-spec-proposals#2675). ([\#11284](#11284), [\#11478](#11478)) - Add plugin support for controlling database background updates. ([\#11306](#11306), [\#11475](#11475), [\#11479](#11479)) - Support the stable API endpoints for [MSC2946](matrix-org/matrix-spec-proposals#2946): the room `/hierarchy` endpoint. ([\#11329](#11329)) - Add admin API to get some information about federation status with remote servers. ([\#11407](#11407)) - Support expiry of refresh tokens and expiry of the overall session when refresh tokens are in use. ([\#11425](#11425)) - Stabilise support for [MSC2918](https://github.com/matrix-org/matrix-doc/blob/main/proposals/2918-refreshtokens.md#msc2918-refresh-tokens) refresh tokens as they have now been merged into the Matrix specification. ([\#11435](#11435), [\#11522](#11522)) - Update [MSC2918 refresh token](https://github.com/matrix-org/matrix-doc/blob/main/proposals/2918-refreshtokens.md#msc2918-refresh-tokens) support to confirm with the latest revision: accept the `refresh_tokens` parameter in the request body rather than in the URL parameters. ([\#11430](#11430)) - Support configuring the lifetime of non-refreshable access tokens separately to refreshable access tokens. ([\#11445](#11445)) - Expose `synapse_homeserver` and `synapse_worker` commands as entry points to run Synapse's main process and worker processes, respectively. Contributed by @Ma27. ([\#11449](#11449)) - `synctl stop` will now wait for Synapse to exit before returning. ([\#11459](#11459), [\#11490](#11490)) - Extend the "delete room" admin api to work correctly on rooms which have previously been partially deleted. ([\#11523](#11523)) - Add support for the `/_matrix/client/v3/login/sso/redirect/{idpId}` API from Matrix v1.1. This endpoint was overlooked when support for v3 endpoints was added in Synapse 1.48.0rc1. ([\#11451](#11451)) Bugfixes -------- - Fix using [MSC2716](matrix-org/matrix-spec-proposals#2716) batch sending in combination with event persistence workers. Contributed by @tulir at Beeper. ([\#11220](#11220)) - Fix a long-standing bug where all requests that read events from the database could get stuck as a result of losing the database connection, properly this time. Also fix a race condition introduced in the previous insufficient fix in Synapse 1.47.0. ([\#11376](#11376)) - The `/send_join` response now includes the stable `event` field instead of the unstable field from [MSC3083](matrix-org/matrix-spec-proposals#3083). ([\#11413](#11413)) - Fix a bug introduced in Synapse 1.47.0 where `send_join` could fail due to an outdated `ijson` version. ([\#11439](#11439), [\#11441](#11441), [\#11460](#11460)) - Fix a bug introduced in Synapse 1.36.0 which could cause problems fetching event-signing keys from trusted key servers. ([\#11440](#11440)) - Fix a bug introduced in Synapse 1.47.1 where the media repository would fail to work if the media store path contained any symbolic links. ([\#11446](#11446)) - Fix an `LruCache` corruption bug, introduced in Synapse 1.38.0, that would cause certain requests to fail until the next Synapse restart. ([\#11454](#11454)) - Fix a long-standing bug where invites from ignored users were included in incremental syncs. ([\#11511](#11511)) - Fix a regression in Synapse 1.48.0 where presence workers would not clear their presence updates over replication on shutdown. ([\#11518](#11518)) - Fix a regression in Synapse 1.48.0 where the module API's `looping_background_call` method would spam errors to the logs when given a non-async function. ([\#11524](#11524)) Updates to the Docker image --------------------------- - Update `Dockerfile-workers` to healthcheck all workers in the container. ([\#11429](#11429)) Improved Documentation ---------------------- - Update the media repository documentation. ([\#11415](#11415)) - Update section about backward extremities in the room DAG concepts doc to correct the misconception about backward extremities indicating whether we have fetched an events' `prev_events`. ([\#11469](#11469)) Internal Changes ---------------- - Add `Final` annotation to string constants in `synapse.api.constants` so that they get typed as `Literal`s. ([\#11356](#11356)) - Add a check to ensure that users cannot start the Synapse master process when `worker_app` is set. ([\#11416](#11416)) - Add a note about postgres memory management and hugepages to postgres doc. ([\#11467](#11467)) - Add missing type hints to `synapse.config` module. ([\#11465](#11465)) - Add missing type hints to `synapse.federation`. ([\#11483](#11483)) - Add type annotations to `tests.storage.test_appservice`. ([\#11488](#11488), [\#11492](#11492)) - Add type annotations to some of the configuration surrounding refresh tokens. ([\#11428](#11428)) - Add type hints to `synapse/tests/rest/admin`. ([\#11501](#11501)) - Add type hints to storage classes. ([\#11411](#11411)) - Add wiki pages to documentation website. ([\#11402](#11402)) - Clean up `tests.storage.test_main` to remove use of legacy code. ([\#11493](#11493)) - Clean up `tests.test_visibility` to remove legacy code. ([\#11495](#11495)) - Convert status codes to `HTTPStatus` in `synapse.rest.admin`. ([\#11452](#11452), [\#11455](#11455)) - Extend the `scripts-dev/sign_json` script to support signing events. ([\#11486](#11486)) - Improve internal types in push code. ([\#11409](#11409)) - Improve type annotations in `synapse.module_api`. ([\#11029](#11029)) - Improve type hints for `LruCache`. ([\#11453](#11453)) - Preparation for database schema simplifications: disambiguate queries on `state_key`. ([\#11497](#11497)) - Refactor `backfilled` into specific behavior function arguments (`_persist_events_and_state_updates` and downstream calls). ([\#11417](#11417)) - Refactor `get_version_string` to fix-up types and duplicated code. ([\#11468](#11468)) - Refactor various parts of the `/sync` handler. ([\#11494](#11494), [\#11515](#11515)) - Remove unnecessary `json.dumps` from `tests.rest.admin`. ([\#11461](#11461)) - Save the OpenID Connect session ID on login. ([\#11482](#11482)) - Update and clean up recently ported documentation pages. ([\#11466](#11466))
Synapse 1.49.0 (2021-12-14) =========================== No significant changes since version 1.49.0rc1. Support for Ubuntu 21.04 ends next month on the 20th of January --------------------------------------------------------------- For users of Ubuntu 21.04 (Hirsute Hippo), please be aware that [upstream support for this version of Ubuntu will end next month][Ubuntu2104EOL]. We will stop producing packages for Ubuntu 21.04 after upstream support ends. [Ubuntu2104EOL]: https://lists.ubuntu.com/archives/ubuntu-announce/2021-December/000275.html The wiki has been migrated to the documentation website ------------------------------------------------------- We've decided to move the existing, somewhat stagnant pages from the GitHub wiki to the [documentation website](https://matrix-org.github.io/synapse/latest/). This was done for two reasons. The first was to ensure that changes are checked by multiple authors before being committed (everyone makes mistakes!) and the second was visibility of the documentation. Not everyone knows that Synapse has some very useful information hidden away in its GitHub wiki pages. Bringing them to the documentation website should help with visibility, as well as keep all Synapse documentation in one, easily-searchable location. Note that contributions to the documentation website happen through [GitHub pull requests](https://github.com/matrix-org/synapse/pulls). Please visit [#synapse-dev:matrix.org](https://matrix.to/#/#synapse-dev:matrix.org) if you need help with the process! Synapse 1.49.0rc1 (2021-12-07) ============================== Features -------- - Add [MSC3030](matrix-org/matrix-spec-proposals#3030) experimental client and federation API endpoints to get the closest event to a given timestamp. ([\matrix-org#9445](matrix-org#9445)) - Include bundled relation aggregations during a limited `/sync` request and `/relations` request, per [MSC2675](matrix-org/matrix-spec-proposals#2675). ([\matrix-org#11284](matrix-org#11284), [\matrix-org#11478](matrix-org#11478)) - Add plugin support for controlling database background updates. ([\matrix-org#11306](matrix-org#11306), [\matrix-org#11475](matrix-org#11475), [\matrix-org#11479](matrix-org#11479)) - Support the stable API endpoints for [MSC2946](matrix-org/matrix-spec-proposals#2946): the room `/hierarchy` endpoint. ([\matrix-org#11329](matrix-org#11329)) - Add admin API to get some information about federation status with remote servers. ([\matrix-org#11407](matrix-org#11407)) - Support expiry of refresh tokens and expiry of the overall session when refresh tokens are in use. ([\matrix-org#11425](matrix-org#11425)) - Stabilise support for [MSC2918](https://github.com/matrix-org/matrix-doc/blob/main/proposals/2918-refreshtokens.md#msc2918-refresh-tokens) refresh tokens as they have now been merged into the Matrix specification. ([\matrix-org#11435](matrix-org#11435), [\matrix-org#11522](matrix-org#11522)) - Update [MSC2918 refresh token](https://github.com/matrix-org/matrix-doc/blob/main/proposals/2918-refreshtokens.md#msc2918-refresh-tokens) support to confirm with the latest revision: accept the `refresh_tokens` parameter in the request body rather than in the URL parameters. ([\matrix-org#11430](matrix-org#11430)) - Support configuring the lifetime of non-refreshable access tokens separately to refreshable access tokens. ([\matrix-org#11445](matrix-org#11445)) - Expose `synapse_homeserver` and `synapse_worker` commands as entry points to run Synapse's main process and worker processes, respectively. Contributed by @Ma27. ([\matrix-org#11449](matrix-org#11449)) - `synctl stop` will now wait for Synapse to exit before returning. ([\matrix-org#11459](matrix-org#11459), [\matrix-org#11490](matrix-org#11490)) - Extend the "delete room" admin api to work correctly on rooms which have previously been partially deleted. ([\matrix-org#11523](matrix-org#11523)) - Add support for the `/_matrix/client/v3/login/sso/redirect/{idpId}` API from Matrix v1.1. This endpoint was overlooked when support for v3 endpoints was added in Synapse 1.48.0rc1. ([\matrix-org#11451](matrix-org#11451)) Bugfixes -------- - Fix using [MSC2716](matrix-org/matrix-spec-proposals#2716) batch sending in combination with event persistence workers. Contributed by @tulir at Beeper. ([\matrix-org#11220](matrix-org#11220)) - Fix a long-standing bug where all requests that read events from the database could get stuck as a result of losing the database connection, properly this time. Also fix a race condition introduced in the previous insufficient fix in Synapse 1.47.0. ([\matrix-org#11376](matrix-org#11376)) - The `/send_join` response now includes the stable `event` field instead of the unstable field from [MSC3083](matrix-org/matrix-spec-proposals#3083). ([\matrix-org#11413](matrix-org#11413)) - Fix a bug introduced in Synapse 1.47.0 where `send_join` could fail due to an outdated `ijson` version. ([\matrix-org#11439](matrix-org#11439), [\matrix-org#11441](matrix-org#11441), [\matrix-org#11460](matrix-org#11460)) - Fix a bug introduced in Synapse 1.36.0 which could cause problems fetching event-signing keys from trusted key servers. ([\matrix-org#11440](matrix-org#11440)) - Fix a bug introduced in Synapse 1.47.1 where the media repository would fail to work if the media store path contained any symbolic links. ([\matrix-org#11446](matrix-org#11446)) - Fix an `LruCache` corruption bug, introduced in Synapse 1.38.0, that would cause certain requests to fail until the next Synapse restart. ([\matrix-org#11454](matrix-org#11454)) - Fix a long-standing bug where invites from ignored users were included in incremental syncs. ([\matrix-org#11511](matrix-org#11511)) - Fix a regression in Synapse 1.48.0 where presence workers would not clear their presence updates over replication on shutdown. ([\matrix-org#11518](matrix-org#11518)) - Fix a regression in Synapse 1.48.0 where the module API's `looping_background_call` method would spam errors to the logs when given a non-async function. ([\matrix-org#11524](matrix-org#11524)) Updates to the Docker image --------------------------- - Update `Dockerfile-workers` to healthcheck all workers in the container. ([\matrix-org#11429](matrix-org#11429)) Improved Documentation ---------------------- - Update the media repository documentation. ([\matrix-org#11415](matrix-org#11415)) - Update section about backward extremities in the room DAG concepts doc to correct the misconception about backward extremities indicating whether we have fetched an events' `prev_events`. ([\matrix-org#11469](matrix-org#11469)) Internal Changes ---------------- - Add `Final` annotation to string constants in `synapse.api.constants` so that they get typed as `Literal`s. ([\matrix-org#11356](matrix-org#11356)) - Add a check to ensure that users cannot start the Synapse master process when `worker_app` is set. ([\matrix-org#11416](matrix-org#11416)) - Add a note about postgres memory management and hugepages to postgres doc. ([\matrix-org#11467](matrix-org#11467)) - Add missing type hints to `synapse.config` module. ([\matrix-org#11465](matrix-org#11465)) - Add missing type hints to `synapse.federation`. ([\matrix-org#11483](matrix-org#11483)) - Add type annotations to `tests.storage.test_appservice`. ([\matrix-org#11488](matrix-org#11488), [\matrix-org#11492](matrix-org#11492)) - Add type annotations to some of the configuration surrounding refresh tokens. ([\matrix-org#11428](matrix-org#11428)) - Add type hints to `synapse/tests/rest/admin`. ([\matrix-org#11501](matrix-org#11501)) - Add type hints to storage classes. ([\matrix-org#11411](matrix-org#11411)) - Add wiki pages to documentation website. ([\matrix-org#11402](matrix-org#11402)) - Clean up `tests.storage.test_main` to remove use of legacy code. ([\matrix-org#11493](matrix-org#11493)) - Clean up `tests.test_visibility` to remove legacy code. ([\matrix-org#11495](matrix-org#11495)) - Convert status codes to `HTTPStatus` in `synapse.rest.admin`. ([\matrix-org#11452](matrix-org#11452), [\matrix-org#11455](matrix-org#11455)) - Extend the `scripts-dev/sign_json` script to support signing events. ([\matrix-org#11486](matrix-org#11486)) - Improve internal types in push code. ([\matrix-org#11409](matrix-org#11409)) - Improve type annotations in `synapse.module_api`. ([\matrix-org#11029](matrix-org#11029)) - Improve type hints for `LruCache`. ([\matrix-org#11453](matrix-org#11453)) - Preparation for database schema simplifications: disambiguate queries on `state_key`. ([\matrix-org#11497](matrix-org#11497)) - Refactor `backfilled` into specific behavior function arguments (`_persist_events_and_state_updates` and downstream calls). ([\matrix-org#11417](matrix-org#11417)) - Refactor `get_version_string` to fix-up types and duplicated code. ([\matrix-org#11468](matrix-org#11468)) - Refactor various parts of the `/sync` handler. ([\matrix-org#11494](matrix-org#11494), [\matrix-org#11515](matrix-org#11515)) - Remove unnecessary `json.dumps` from `tests.rest.admin`. ([\matrix-org#11461](matrix-org#11461)) - Save the OpenID Connect session ID on login. ([\matrix-org#11482](matrix-org#11482)) - Update and clean up recently ported documentation pages. ([\matrix-org#11466](matrix-org#11466))
Synapse 1.51.0 (2022-01-25) =========================== No significant changes since 1.51.0rc2. Synapse 1.51.0 deprecates `webclient` listeners and non-HTTP(S) `web_client_location`s. Support for these will be removed in Synapse 1.53.0, at which point Synapse will not be capable of directly serving a web client for Matrix. Synapse 1.51.0rc2 (2022-01-24) ============================== Bugfixes -------- - Fix a bug introduced in Synapse 1.40.0 that caused Synapse to fail to process incoming federation traffic after handling a large amount of events in a v1 room. ([\#11806](matrix-org/synapse#11806)) Synapse 1.51.0rc1 (2022-01-21) ============================== Features -------- - Add `track_puppeted_user_ips` config flag to record client IP addresses against puppeted users, and include the puppeted users in monthly active user counts. ([\#11561](matrix-org/synapse#11561), [\#11749](matrix-org/synapse#11749), [\#11757](matrix-org/synapse#11757)) - Include whether the requesting user has participated in a thread when generating a summary for [MSC3440](matrix-org/matrix-spec-proposals#3440). ([\#11577](matrix-org/synapse#11577)) - Return an `M_FORBIDDEN` error code instead of `M_UNKNOWN` when a spam checker module prevents a user from creating a room. ([\#11672](matrix-org/synapse#11672)) - Add a flag to the `synapse_review_recent_signups` script to ignore and filter appservice users. ([\#11675](matrix-org/synapse#11675), [\#11770](matrix-org/synapse#11770)) Bugfixes -------- - Fix a long-standing issue which could cause Synapse to incorrectly accept data in the unsigned field of events received over federation. ([\#11530](matrix-org/synapse#11530)) - Fix a long-standing bug where Synapse wouldn't cache a response indicating that a remote user has no devices. ([\#11587](matrix-org/synapse#11587)) - Fix an error that occurs whilst trying to get the federation status of a destination server that was working normally. This admin API was newly introduced in Synapse v1.49.0. ([\#11593](matrix-org/synapse#11593)) - Fix bundled aggregations not being included in the `/sync` response, per [MSC2675](matrix-org/matrix-spec-proposals#2675). ([\#11612](matrix-org/synapse#11612), [\#11659](matrix-org/synapse#11659), [\#11791](matrix-org/synapse#11791)) - Fix the `/_matrix/client/v1/room/{roomId}/hierarchy` endpoint returning incorrect fields which have been present since Synapse 1.49.0. ([\#11667](matrix-org/synapse#11667)) - Fix preview of some GIF URLs (like tenor.com). Contributed by Philippe Daouadi. ([\#11669](matrix-org/synapse#11669)) - Fix a bug where only the first 50 rooms from a space were returned from the `/hierarchy` API. This has existed since the introduction of the API in Synapse v1.41.0. ([\#11695](matrix-org/synapse#11695)) - Fix a bug introduced in Synapse v1.18.0 where password reset and address validation emails would not be sent if their subject was configured to use the 'app' template variable. Contributed by @br4nnigan. ([\#11710](matrix-org/synapse#11710), [\#11745](matrix-org/synapse#11745)) - Make the 'List Rooms' Admin API sort stable. Contributed by Daniël Sonck. ([\#11737](matrix-org/synapse#11737)) - Fix a long-standing bug where space hierarchy over federation would only work correctly some of the time. ([\#11775](matrix-org/synapse#11775)) - Fix a bug introduced in Synapse v1.46.0 that prevented `on_logged_out` module callbacks from being correctly awaited by Synapse. ([\#11786](matrix-org/synapse#11786)) Improved Documentation ---------------------- - Warn against using a Let's Encrypt certificate for TLS/DTLS TURN server client connections, and suggest using ZeroSSL certificate instead. This works around client-side connectivity errors caused by WebRTC libraries that reject Let's Encrypt certificates. Contibuted by @AndrewFerr. ([\#11686](matrix-org/synapse#11686)) - Document the new `SYNAPSE_TEST_PERSIST_SQLITE_DB` environment variable in the contributing guide. ([\#11715](matrix-org/synapse#11715)) - Document that the minimum supported PostgreSQL version is now 10. ([\#11725](matrix-org/synapse#11725)) - Fix typo in demo docs: differnt. ([\#11735](matrix-org/synapse#11735)) - Update room spec URL in config files. ([\#11739](matrix-org/synapse#11739)) - Mention `python3-venv` and `libpq-dev` dependencies in the contribution guide. ([\#11740](matrix-org/synapse#11740)) - Update documentation for configuring login with Facebook. ([\#11755](matrix-org/synapse#11755)) - Update installation instructions to note that Python 3.6 is no longer supported. ([\#11781](matrix-org/synapse#11781)) Deprecations and Removals ------------------------- - Remove the unstable `/send_relation` endpoint. ([\#11682](matrix-org/synapse#11682)) - Remove `python_twisted_reactor_pending_calls` Prometheus metric. ([\#11724](matrix-org/synapse#11724)) - Remove the `password_hash` field from the response dictionaries of the [Users Admin API](https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html). ([\#11576](matrix-org/synapse#11576)) - **Deprecate support for `webclient` listeners and non-HTTP(S) `web_client_location` configuration. ([\#11774](matrix-org/synapse#11774), [\#11783](matrix-org/synapse#11783 Internal Changes ---------------- - Run `pyupgrade --py37-plus --keep-percent-format` on Synapse. ([\#11685](matrix-org/synapse#11685)) - Use buildkit's cache feature to speed up docker builds. ([\#11691](matrix-org/synapse#11691)) - Use `auto_attribs` and native type hints for attrs classes. ([\#11692](matrix-org/synapse#11692), [\#11768](matrix-org/synapse#11768)) - Remove debug logging for #4422, which has been closed since Synapse 0.99. ([\#11693](matrix-org/synapse#11693)) - Remove fallback code for Python 2. ([\#11699](matrix-org/synapse#11699)) - Add a test for [an edge case](matrix-org/synapse#11532 (comment)) in the `/sync` logic. ([\#11701](matrix-org/synapse#11701)) - Add the option to write SQLite test dbs to disk when running tests. ([\#11702](matrix-org/synapse#11702)) - Improve Complement test output for Gitub Actions. ([\#11707](matrix-org/synapse#11707)) - Fix docstring on `add_account_data_for_user`. ([\#11716](matrix-org/synapse#11716)) - Complement environment variable name change and update `.gitignore`. ([\#11718](matrix-org/synapse#11718)) - Simplify calculation of Prometheus metrics for garbage collection. ([\#11723](matrix-org/synapse#11723)) - Improve accuracy of `python_twisted_reactor_tick_time` Prometheus metric. ([\#11724](matrix-org/synapse#11724), [\#11771](matrix-org/synapse#11771)) - Minor efficiency improvements when inserting many values into the database. ([\#11742](matrix-org/synapse#11742)) - Invite PR authors to give themselves credit in the changelog. ([\#11744](matrix-org/synapse#11744)) - Add optional debugging to investigate [issue 8631](matrix-org/synapse#8631). ([\#11760](matrix-org/synapse#11760)) - Remove `log_function` utility function and its uses. ([\#11761](matrix-org/synapse#11761)) - Add a unit test that checks both `client` and `webclient` resources will function when simultaneously enabled. ([\#11765](matrix-org/synapse#11765)) - Allow overriding complement commit using `COMPLEMENT_REF`. ([\#11766](matrix-org/synapse#11766)) - Add some comments and type annotations for `_update_outliers_txn`. ([\#11776](matrix-org/synapse#11776)) Synapse 1.50.1 (2022-01-18) =========================== This release fixes a bug in Synapse 1.50.0 that could prevent clients from being able to connect to Synapse if the `webclient` resource was enabled. Further details are available in [this issue](matrix-org/synapse#11763). Bugfixes -------- - Fix a bug introduced in Synapse 1.50.0rc1 that could cause Matrix clients to be unable to connect to Synapse instances with the `webclient` resource enabled. ([\#11764](matrix-org/synapse#11764)) Synapse 1.50.0 (2022-01-18) =========================== **This release contains a critical bug that may prevent clients from being able to connect. As such, it is not recommended to upgrade to 1.50.0. Instead, please upgrade straight to to 1.50.1. Further details are available in [this issue](matrix-org/synapse#11763 Please note that we now only support Python 3.7+ and PostgreSQL 10+ (if applicable), because Python 3.6 and PostgreSQL 9.6 have reached end-of-life. No significant changes since 1.50.0rc2. Synapse 1.50.0rc2 (2022-01-14) ============================== This release candidate fixes a federation-breaking regression introduced in Synapse 1.50.0rc1. Bugfixes -------- - Fix a bug introduced in Synapse v1.0.0 whereby some device list updates would not be sent to remote homeservers if there were too many to send at once. ([\#11729](matrix-org/synapse#11729)) - Fix a bug introduced in Synapse v1.50.0rc1 whereby outbound federation could fail because too many EDUs were produced for device updates. ([\#11730](matrix-org/synapse#11730)) Improved Documentation ---------------------- - Document that now the minimum supported PostgreSQL version is 10. ([\#11725](matrix-org/synapse#11725)) Internal Changes ---------------- - Fix a typechecker problem related to our (ab)use of `nacl.signing.SigningKey`s. ([\#11714](matrix-org/synapse#11714)) Synapse 1.50.0rc1 (2022-01-05) ============================== Features -------- - Allow guests to send state events per [MSC3419](matrix-org/matrix-spec-proposals#3419). ([\#11378](matrix-org/synapse#11378)) - Add experimental support for part of [MSC3202](matrix-org/matrix-spec-proposals#3202): allowing application services to masquerade as specific devices. ([\#11538](matrix-org/synapse#11538)) - Add admin API to get users' account data. ([\#11664](matrix-org/synapse#11664)) - Include the room topic in the stripped state included with invites and knocking. ([\#11666](matrix-org/synapse#11666)) - Send and handle cross-signing messages using the stable prefix. ([\#10520](matrix-org/synapse#10520)) - Support unprefixed versions of fallback key property names. ([\#11541](matrix-org/synapse#11541)) Bugfixes -------- - Fix a long-standing bug where relations from other rooms could be included in the bundled aggregations of an event. ([\#11516](matrix-org/synapse#11516)) - Fix a long-standing bug which could cause `AssertionError`s to be written to the log when Synapse was restarted after purging events from the database. ([\#11536](matrix-org/synapse#11536), [\#11642](matrix-org/synapse#11642)) - Fix a bug introduced in Synapse 1.17.0 where a pusher created for an email with capital letters would fail to be created. ([\#11547](matrix-org/synapse#11547)) - Fix a long-standing bug where responses included bundled aggregations when they should not, per [MSC2675](matrix-org/matrix-spec-proposals#2675). ([\#11592](matrix-org/synapse#11592), [\#11623](matrix-org/synapse#11623)) - Fix a long-standing bug that some unknown endpoints would return HTML error pages instead of JSON `M_UNRECOGNIZED` errors. ([\#11602](matrix-org/synapse#11602)) - Fix a bug introduced in Synapse 1.19.3 which could sometimes cause `AssertionError`s when backfilling rooms over federation. ([\#11632](matrix-org/synapse#11632)) Improved Documentation ---------------------- - Update Synapse install command for FreeBSD as the package is now prefixed with `py38`. Contributed by @itchychips. ([\#11267](matrix-org/synapse#11267)) - Document the usage of refresh tokens. ([\#11427](matrix-org/synapse#11427)) - Add details for how to configure a TURN server when behind a NAT. Contibuted by @AndrewFerr. ([\#11553](matrix-org/synapse#11553)) - Add references for using Postgres to the Docker documentation. ([\#11640](matrix-org/synapse#11640)) - Fix the documentation link in newly-generated configuration files. ([\#11678](matrix-org/synapse#11678)) - Correct the documentation for `nginx` to use a case-sensitive url pattern. Fixes an error introduced in v1.21.0. ([\#11680](matrix-org/synapse#11680)) - Clarify SSO mapping provider documentation by writing `def` or `async def` before the names of methods, as appropriate. ([\#11681](matrix-org/synapse#11681)) Deprecations and Removals ------------------------- - Replace `mock` package by its standard library version. ([\#11588](matrix-org/synapse#11588)) - Drop support for Python 3.6 and Ubuntu 18.04. ([\#11633](matrix-org/synapse#11633)) Internal Changes ---------------- - Allow specific, experimental events to be created without `prev_events`. Used by [MSC2716](matrix-org/matrix-spec-proposals#2716). ([\#11243](matrix-org/synapse#11243)) - A test helper (`wait_for_background_updates`) no longer depends on classes defining a `store` property. ([\#11331](matrix-org/synapse#11331)) - Add type hints to `synapse.appservice`. ([\#11360](matrix-org/synapse#11360)) - Add missing type hints to `synapse.config` module. ([\#11480](matrix-org/synapse#11480)) - Add test to ensure we share the same `state_group` across the whole historical batch when using the [MSC2716](matrix-org/matrix-spec-proposals#2716) `/batch_send` endpoint. ([\#11487](matrix-org/synapse#11487)) - Refactor `tests.util.setup_test_homeserver` and `tests.server.setup_test_homeserver`. ([\#11503](matrix-org/synapse#11503)) - Move `glob_to_regex` and `re_word_boundary` to `matrix-python-common`. ([\#11505](matrix-org/synapse#11505), [\#11687](matrix-org/synapse#11687)) - Use `HTTPStatus` constants in place of literals in `tests.rest.client.test_auth`. ([\#11520](matrix-org/synapse#11520)) - Add a receipt types constant for `m.read`. ([\#11531](matrix-org/synapse#11531)) - Clean up `synapse.rest.admin`. ([\#11535](matrix-org/synapse#11535)) - Add missing `errcode` to `parse_string` and `parse_boolean`. ([\#11542](matrix-org/synapse#11542)) - Use `HTTPStatus` constants in place of literals in `synapse.http`. ([\#11543](matrix-org/synapse#11543)) - Add missing type hints to storage classes. ([\#11546](matrix-org/synapse#11546), [\#11549](matrix-org/synapse#11549), [\#11551](matrix-org/synapse#11551), [\#11555](matrix-org/synapse#11555), [\#11575](matrix-org/synapse#11575), [\#11589](matrix-org/synapse#11589), [\#11594](matrix-org/synapse#11594), [\#11652](matrix-org/synapse#11652), [\#11653](matrix-org/synapse#11653), [\#11654](matrix-org/synapse#11654), [\#11657](matrix-org/synapse#11657)) - Fix an inaccurate and misleading comment in the `/sync` code. ([\#11550](matrix-org/synapse#11550)) - Add missing type hints to `synapse.logging.context`. ([\#11556](matrix-org/synapse#11556)) - Stop populating unused database column `state_events.prev_state`. ([\#11558](matrix-org/synapse#11558)) - Minor efficiency improvements in event persistence. ([\#11560](matrix-org/synapse#11560)) - Add some safety checks that storage functions are used correctly. ([\#11564](matrix-org/synapse#11564), [\#11580](matrix-org/synapse#11580)) - Make `get_device` return `None` if the device doesn't exist rather than raising an exception. ([\#11565](matrix-org/synapse#11565)) - Split the HTML parsing code from the URL preview resource code. ([\#11566](matrix-org/synapse#11566)) - Remove redundant `COALESCE()`s around `COUNT()`s in database queries. ([\#11570](matrix-org/synapse#11570)) - Add missing type hints to `synapse.http`. ([\#11571](matrix-org/synapse#11571)) - Add [MSC2716](matrix-org/matrix-spec-proposals#2716) and [MSC3030](matrix-org/matrix-spec-proposals#3030) to `/versions` -> `unstable_features` to detect server support. ([\#11582](matrix-org/synapse#11582)) - Add type hints to `synapse/tests/rest/admin`. ([\#11590](matrix-org/synapse#11590)) - Drop end-of-life Python 3.6 and Postgres 9.6 from CI. ([\#11595](matrix-org/synapse#11595)) - Update black version and run it on all the files. ([\#11596](matrix-org/synapse#11596)) - Add opentracing type stubs and fix associated mypy errors. ([\#11603](matrix-org/synapse#11603), [\#11622](matrix-org/synapse#11622)) - Improve OpenTracing support for requests which use a `ResponseCache`. ([\#11607](matrix-org/synapse#11607)) - Improve OpenTracing support for incoming HTTP requests. ([\#11618](matrix-org/synapse#11618)) - A number of improvements to opentracing support. ([\#11619](matrix-org/synapse#11619)) - Refactor the way that the `outlier` flag is set on events received over federation. ([\#11634](matrix-org/synapse#11634)) - Improve the error messages from `get_create_event_for_room`. ([\#11638](matrix-org/synapse#11638)) - Remove redundant `get_current_events_token` method. ([\#11643](matrix-org/synapse#11643)) - Convert `namedtuples` to `attrs`. ([\#11665](matrix-org/synapse#11665), [\#11574](matrix-org/synapse#11574)) - Update the `/capabilities` response to include whether support for [MSC3440](matrix-org/matrix-spec-proposals#3440) is available. ([\#11690](matrix-org/synapse#11690)) - Send the `Accept` header in HTTP requests made using `SimpleHttpClient.get_json`. ([\#11677](matrix-org/synapse#11677)) - Work around Mjolnir compatibility issue by adding an import for `glob_to_regex` in `synapse.util`, where it moved from. ([\#11696](matrix-org/synapse#11696)) Synapse 1.49.2 (2021-12-21) =========================== This release fixes a regression introduced in Synapse 1.49.0 which could cause `/sync` requests to take significantly longer. This would particularly affect "initial" syncs for users participating in a large number of rooms, and in extreme cases, could make it impossible for such users to log in on a new client. **Note:** in line with our [deprecation policy](https://matrix-org.github.io/synapse/latest/deprecation_policy.html) for platform dependencies, this will be the last release to support Python 3.6 and PostgreSQL 9.6, both of which have now reached upstream end-of-life. Synapse will require Python 3.7+ and PostgreSQL 10+. **Note:** We will also stop producing packages for Ubuntu 18.04 (Bionic Beaver) after this release, as it uses Python 3.6. Bugfixes -------- - Fix a performance regression in `/sync` handling, introduced in 1.49.0. ([\#11583](matrix-org/synapse#11583)) Internal Changes ---------------- - Work around a build problem on Debian Buster. ([\#11625](matrix-org/synapse#11625)) Synapse 1.49.1 (2021-12-21) =========================== Not released due to problems building the debian packages. Synapse 1.49.0 (2021-12-14) =========================== No significant changes since version 1.49.0rc1. Support for Ubuntu 21.04 ends next month on the 20th of January --------------------------------------------------------------- For users of Ubuntu 21.04 (Hirsute Hippo), please be aware that [upstream support for this version of Ubuntu will end next month][Ubuntu2104EOL]. We will stop producing packages for Ubuntu 21.04 after upstream support ends. [Ubuntu2104EOL]: https://lists.ubuntu.com/archives/ubuntu-announce/2021-December/000275.html The wiki has been migrated to the documentation website ------------------------------------------------------- We've decided to move the existing, somewhat stagnant pages from the GitHub wiki to the [documentation website](https://matrix-org.github.io/synapse/latest/). This was done for two reasons. The first was to ensure that changes are checked by multiple authors before being committed (everyone makes mistakes!) and the second was visibility of the documentation. Not everyone knows that Synapse has some very useful information hidden away in its GitHub wiki pages. Bringing them to the documentation website should help with visibility, as well as keep all Synapse documentation in one, easily-searchable location. Note that contributions to the documentation website happen through [GitHub pull requests](https://github.com/matrix-org/synapse/pulls). Please visit [#synapse-dev:matrix.org](https://matrix.to/#/#synapse-dev:matrix.org) if you need help with the process! Synapse 1.49.0rc1 (2021-12-07) ============================== Features -------- - Add [MSC3030](matrix-org/matrix-spec-proposals#3030) experimental client and federation API endpoints to get the closest event to a given timestamp. ([\#9445](matrix-org/synapse#9445)) - Include bundled relation aggregations during a limited `/sync` request and `/relations` request, per [MSC2675](matrix-org/matrix-spec-proposals#2675). ([\#11284](matrix-org/synapse#11284), [\#11478](matrix-org/synapse#11478)) - Add plugin support for controlling database background updates. ([\#11306](matrix-org/synapse#11306), [\#11475](matrix-org/synapse#11475), [\#11479](matrix-org/synapse#11479)) - Support the stable API endpoints for [MSC2946](matrix-org/matrix-spec-proposals#2946): the room `/hierarchy` endpoint. ([\#11329](matrix-org/synapse#11329)) - Add admin API to get some information about federation status with remote servers. ([\#11407](matrix-org/synapse#11407)) - Support expiry of refresh tokens and expiry of the overall session when refresh tokens are in use. ([\#11425](matrix-org/synapse#11425)) - Stabilise support for [MSC2918](https://github.com/matrix-org/matrix-doc/blob/main/proposals/2918-refreshtokens.md#msc2918-refresh-tokens) refresh tokens as they have now been merged into the Matrix specification. ([\#11435](matrix-org/synapse#11435), [\#11522](matrix-org/synapse#11522)) - Update [MSC2918 refresh token](https://github.com/matrix-org/matrix-doc/blob/main/proposals/2918-refreshtokens.md#msc2918-refresh-tokens) support to confirm with the latest revision: accept the `refresh_tokens` parameter in the request body rather than in the URL parameters. ([\#11430](matrix-org/synapse#11430)) - Support configuring the lifetime of non-refreshable access tokens separately to refreshable access tokens. ([\#11445](matrix-org/synapse#11445)) - Expose `synapse_homeserver` and `synapse_worker` commands as entry points to run Synapse's main process and worker processes, respectively. Contributed by @Ma27. ([\#11449](matrix-org/synapse#11449)) - `synctl stop` will now wait for Synapse to exit before returning. ([\#11459](matrix-org/synapse#11459), [\#11490](matrix-org/synapse#11490)) - Extend the "delete room" admin api to work correctly on rooms which have previously been partially deleted. ([\#11523](matrix-org/synapse#11523)) - Add support for the `/_matrix/client/v3/login/sso/redirect/{idpId}` API from Matrix v1.1. This endpoint was overlooked when support for v3 endpoints was added in Synapse 1.48.0rc1. ([\#11451](matrix-org/synapse#11451)) Bugfixes -------- - Fix using [MSC2716](matrix-org/matrix-spec-proposals#2716) batch sending in combination with event persistence workers. Contributed by @tulir at Beeper. ([\#11220](matrix-org/synapse#11220)) - Fix a long-standing bug where all requests that read events from the database could get stuck as a result of losing the database connection, properly this time. Also fix a race condition introduced in the previous insufficient fix in Synapse 1.47.0. ([\#11376](matrix-org/synapse#11376)) - The `/send_join` response now includes the stable `event` field instead of the unstable field from [MSC3083](matrix-org/matrix-spec-proposals#3083). ([\#11413](matrix-org/synapse#11413)) - Fix a bug introduced in Synapse 1.47.0 where `send_join` could fail due to an outdated `ijson` version. ([\#11439](matrix-org/synapse#11439), [\#11441](matrix-org/synapse#11441), [\#11460](matrix-org/synapse#11460)) - Fix a bug introduced in Synapse 1.36.0 which could cause problems fetching event-signing keys from trusted key servers. ([\#11440](matrix-org/synapse#11440)) - Fix a bug introduced in Synapse 1.47.1 where the media repository would fail to work if the media store path contained any symbolic links. ([\#11446](matrix-org/synapse#11446)) - Fix an `LruCache` corruption bug, introduced in Synapse 1.38.0, that would cause certain requests to fail until the next Synapse restart. ([\#11454](matrix-org/synapse#11454)) - Fix a long-standing bug where invites from ignored users were included in incremental syncs. ([\#11511](matrix-org/synapse#11511)) - Fix a regression in Synapse 1.48.0 where presence workers would not clear their presence updates over replication on shutdown. ([\#11518](matrix-org/synapse#11518)) - Fix a regression in Synapse 1.48.0 where the module API's `looping_background_call` method would spam errors to the logs when given a non-async function. ([\#11524](matrix-org/synapse#11524)) Updates to the Docker image --------------------------- - Update `Dockerfile-workers` to healthcheck all workers in the container. ([\#11429](matrix-org/synapse#11429)) Improved Documentation ---------------------- - Update the media repository documentation. ([\#11415](matrix-org/synapse#11415)) - Update section about backward extremities in the room DAG concepts doc to correct the misconception about backward extremities indicating whether we have fetched an events' `prev_events`. ([\#11469](matrix-org/synapse#11469)) Internal Changes ---------------- - Add `Final` annotation to string constants in `synapse.api.constants` so that they get typed as `Literal`s. ([\#11356](matrix-org/synapse#11356)) - Add a check to ensure that users cannot start the Synapse master process when `worker_app` is set. ([\#11416](matrix-org/synapse#11416)) - Add a note about postgres memory management and hugepages to postgres doc. ([\#11467](matrix-org/synapse#11467)) - Add missing type hints to `synapse.config` module. ([\#11465](matrix-org/synapse#11465)) - Add missing type hints to `synapse.federation`. ([\#11483](matrix-org/synapse#11483)) - Add type annotations to `tests.storage.test_appservice`. ([\#11488](matrix-org/synapse#11488), [\#11492](matrix-org/synapse#11492)) - Add type annotations to some of the configuration surrounding refresh tokens. ([\#11428](matrix-org/synapse#11428)) - Add type hints to `synapse/tests/rest/admin`. ([\#11501](matrix-org/synapse#11501)) - Add type hints to storage classes. ([\#11411](matrix-org/synapse#11411)) - Add wiki pages to documentation website. ([\#11402](matrix-org/synapse#11402)) - Clean up `tests.storage.test_main` to remove use of legacy code. ([\#11493](matrix-org/synapse#11493)) - Clean up `tests.test_visibility` to remove legacy code. ([\#11495](matrix-org/synapse#11495)) - Convert status codes to `HTTPStatus` in `synapse.rest.admin`. ([\#11452](matrix-org/synapse#11452), [\#11455](matrix-org/synapse#11455)) - Extend the `scripts-dev/sign_json` script to support signing events. ([\#11486](matrix-org/synapse#11486)) - Improve internal types in push code. ([\#11409](matrix-org/synapse#11409)) - Improve type annotations in `synapse.module_api`. ([\#11029](matrix-org/synapse#11029)) - Improve type hints for `LruCache`. ([\#11453](matrix-org/synapse#11453)) - Preparation for database schema simplifications: disambiguate queries on `state_key`. ([\#11497](matrix-org/synapse#11497)) - Refactor `backfilled` into specific behavior function arguments (`_persist_events_and_state_updates` and downstream calls). ([\#11417](matrix-org/synapse#11417)) - Refactor `get_version_string` to fix-up types and duplicated code. ([\#11468](matrix-org/synapse#11468)) - Refactor various parts of the `/sync` handler. ([\#11494](matrix-org/synapse#11494), [\#11515](matrix-org/synapse#11515)) - Remove unnecessary `json.dumps` from `tests.rest.admin`. ([\#11461](matrix-org/synapse#11461)) - Save the OpenID Connect session ID on login. ([\#11482](matrix-org/synapse#11482)) - Update and clean up recently ported documentation pages. ([\#11466](matrix-org/synapse#11466))
Synapse 1.49.0 (2021-12-14) =========================== No significant changes since version 1.49.0rc1. Support for Ubuntu 21.04 ends next month on the 20th of January --------------------------------------------------------------- For users of Ubuntu 21.04 (Hirsute Hippo), please be aware that [upstream support for this version of Ubuntu will end next month][Ubuntu2104EOL]. We will stop producing packages for Ubuntu 21.04 after upstream support ends. [Ubuntu2104EOL]: https://lists.ubuntu.com/archives/ubuntu-announce/2021-December/000275.html The wiki has been migrated to the documentation website ------------------------------------------------------- We've decided to move the existing, somewhat stagnant pages from the GitHub wiki to the [documentation website](https://matrix-org.github.io/synapse/latest/). This was done for two reasons. The first was to ensure that changes are checked by multiple authors before being committed (everyone makes mistakes!) and the second was visibility of the documentation. Not everyone knows that Synapse has some very useful information hidden away in its GitHub wiki pages. Bringing them to the documentation website should help with visibility, as well as keep all Synapse documentation in one, easily-searchable location. Note that contributions to the documentation website happen through [GitHub pull requests](https://github.com/matrix-org/synapse/pulls). Please visit [#synapse-dev:matrix.org](https://matrix.to/#/#synapse-dev:matrix.org) if you need help with the process! Synapse 1.49.0rc1 (2021-12-07) ============================== Features -------- - Add [MSC3030](matrix-org/matrix-spec-proposals#3030) experimental client and federation API endpoints to get the closest event to a given timestamp. ([\#9445](matrix-org/synapse#9445)) - Include bundled relation aggregations during a limited `/sync` request and `/relations` request, per [MSC2675](matrix-org/matrix-spec-proposals#2675). ([\#11284](matrix-org/synapse#11284), [\#11478](matrix-org/synapse#11478)) - Add plugin support for controlling database background updates. ([\#11306](matrix-org/synapse#11306), [\#11475](matrix-org/synapse#11475), [\#11479](matrix-org/synapse#11479)) - Support the stable API endpoints for [MSC2946](matrix-org/matrix-spec-proposals#2946): the room `/hierarchy` endpoint. ([\#11329](matrix-org/synapse#11329)) - Add admin API to get some information about federation status with remote servers. ([\#11407](matrix-org/synapse#11407)) - Support expiry of refresh tokens and expiry of the overall session when refresh tokens are in use. ([\#11425](matrix-org/synapse#11425)) - Stabilise support for [MSC2918](https://github.com/matrix-org/matrix-doc/blob/main/proposals/2918-refreshtokens.md#msc2918-refresh-tokens) refresh tokens as they have now been merged into the Matrix specification. ([\#11435](matrix-org/synapse#11435), [\#11522](matrix-org/synapse#11522)) - Update [MSC2918 refresh token](https://github.com/matrix-org/matrix-doc/blob/main/proposals/2918-refreshtokens.md#msc2918-refresh-tokens) support to confirm with the latest revision: accept the `refresh_tokens` parameter in the request body rather than in the URL parameters. ([\#11430](matrix-org/synapse#11430)) - Support configuring the lifetime of non-refreshable access tokens separately to refreshable access tokens. ([\#11445](matrix-org/synapse#11445)) - Expose `synapse_homeserver` and `synapse_worker` commands as entry points to run Synapse's main process and worker processes, respectively. Contributed by @Ma27. ([\#11449](matrix-org/synapse#11449)) - `synctl stop` will now wait for Synapse to exit before returning. ([\#11459](matrix-org/synapse#11459), [\#11490](matrix-org/synapse#11490)) - Extend the "delete room" admin api to work correctly on rooms which have previously been partially deleted. ([\#11523](matrix-org/synapse#11523)) - Add support for the `/_matrix/client/v3/login/sso/redirect/{idpId}` API from Matrix v1.1. This endpoint was overlooked when support for v3 endpoints was added in Synapse 1.48.0rc1. ([\#11451](matrix-org/synapse#11451)) Bugfixes -------- - Fix using [MSC2716](matrix-org/matrix-spec-proposals#2716) batch sending in combination with event persistence workers. Contributed by @tulir at Beeper. ([\#11220](matrix-org/synapse#11220)) - Fix a long-standing bug where all requests that read events from the database could get stuck as a result of losing the database connection, properly this time. Also fix a race condition introduced in the previous insufficient fix in Synapse 1.47.0. ([\#11376](matrix-org/synapse#11376)) - The `/send_join` response now includes the stable `event` field instead of the unstable field from [MSC3083](matrix-org/matrix-spec-proposals#3083). ([\#11413](matrix-org/synapse#11413)) - Fix a bug introduced in Synapse 1.47.0 where `send_join` could fail due to an outdated `ijson` version. ([\#11439](matrix-org/synapse#11439), [\#11441](matrix-org/synapse#11441), [\#11460](matrix-org/synapse#11460)) - Fix a bug introduced in Synapse 1.36.0 which could cause problems fetching event-signing keys from trusted key servers. ([\#11440](matrix-org/synapse#11440)) - Fix a bug introduced in Synapse 1.47.1 where the media repository would fail to work if the media store path contained any symbolic links. ([\#11446](matrix-org/synapse#11446)) - Fix an `LruCache` corruption bug, introduced in Synapse 1.38.0, that would cause certain requests to fail until the next Synapse restart. ([\#11454](matrix-org/synapse#11454)) - Fix a long-standing bug where invites from ignored users were included in incremental syncs. ([\#11511](matrix-org/synapse#11511)) - Fix a regression in Synapse 1.48.0 where presence workers would not clear their presence updates over replication on shutdown. ([\#11518](matrix-org/synapse#11518)) - Fix a regression in Synapse 1.48.0 where the module API's `looping_background_call` method would spam errors to the logs when given a non-async function. ([\#11524](matrix-org/synapse#11524)) Updates to the Docker image --------------------------- - Update `Dockerfile-workers` to healthcheck all workers in the container. ([\#11429](matrix-org/synapse#11429)) Improved Documentation ---------------------- - Update the media repository documentation. ([\#11415](matrix-org/synapse#11415)) - Update section about backward extremities in the room DAG concepts doc to correct the misconception about backward extremities indicating whether we have fetched an events' `prev_events`. ([\#11469](matrix-org/synapse#11469)) Internal Changes ---------------- - Add `Final` annotation to string constants in `synapse.api.constants` so that they get typed as `Literal`s. ([\#11356](matrix-org/synapse#11356)) - Add a check to ensure that users cannot start the Synapse master process when `worker_app` is set. ([\#11416](matrix-org/synapse#11416)) - Add a note about postgres memory management and hugepages to postgres doc. ([\#11467](matrix-org/synapse#11467)) - Add missing type hints to `synapse.config` module. ([\#11465](matrix-org/synapse#11465)) - Add missing type hints to `synapse.federation`. ([\#11483](matrix-org/synapse#11483)) - Add type annotations to `tests.storage.test_appservice`. ([\#11488](matrix-org/synapse#11488), [\#11492](matrix-org/synapse#11492)) - Add type annotations to some of the configuration surrounding refresh tokens. ([\#11428](matrix-org/synapse#11428)) - Add type hints to `synapse/tests/rest/admin`. ([\#11501](matrix-org/synapse#11501)) - Add type hints to storage classes. ([\#11411](matrix-org/synapse#11411)) - Add wiki pages to documentation website. ([\#11402](matrix-org/synapse#11402)) - Clean up `tests.storage.test_main` to remove use of legacy code. ([\#11493](matrix-org/synapse#11493)) - Clean up `tests.test_visibility` to remove legacy code. ([\#11495](matrix-org/synapse#11495)) - Convert status codes to `HTTPStatus` in `synapse.rest.admin`. ([\#11452](matrix-org/synapse#11452), [\#11455](matrix-org/synapse#11455)) - Extend the `scripts-dev/sign_json` script to support signing events. ([\#11486](matrix-org/synapse#11486)) - Improve internal types in push code. ([\#11409](matrix-org/synapse#11409)) - Improve type annotations in `synapse.module_api`. ([\#11029](matrix-org/synapse#11029)) - Improve type hints for `LruCache`. ([\#11453](matrix-org/synapse#11453)) - Preparation for database schema simplifications: disambiguate queries on `state_key`. ([\#11497](matrix-org/synapse#11497)) - Refactor `backfilled` into specific behavior function arguments (`_persist_events_and_state_updates` and downstream calls). ([\#11417](matrix-org/synapse#11417)) - Refactor `get_version_string` to fix-up types and duplicated code. ([\#11468](matrix-org/synapse#11468)) - Refactor various parts of the `/sync` handler. ([\#11494](matrix-org/synapse#11494), [\#11515](matrix-org/synapse#11515)) - Remove unnecessary `json.dumps` from `tests.rest.admin`. ([\#11461](matrix-org/synapse#11461)) - Save the OpenID Connect session ID on login. ([\#11482](matrix-org/synapse#11482)) - Update and clean up recently ported documentation pages. ([\#11466](matrix-org/synapse#11466))
This is part of #11372.
The general idea is that a refresh token can be given a bounded lifetime, so that when your access tokens also have a bounded lifetime,
the client must refresh frequently enough or else get logged out for inactivity.
Refresh token expiry
Useful for providing auto-logout on inactivity.
If you set your refresh token lifetime to
R
and your access token lifetime toA
(and assuming the refresh token lifetime is longer than that of the access tokens), then a client:(here, by 'logged out' I mean logged out in such a way that the client can't use a refresh token to get access again).
(Ultimate) session lifetime
This is an upper bound on the length of the session as a whole; no matter how much the client uses refresh tokens, it will have to reauthenticate after this time.
Previously, the refresh token mechanism was incompatible with
session_lifetime
.